Web Criminals Go Phishing... With Phony Bait And No License

Steve DelBianco

Introduction
Just when online users were learning to defend themselves against spam, viruses, and spyware, an even more dangerous enemy of e-commerce has emerged. Known as “phishing”, this scourge is a type of identity fraud using phony e-mail messages or Web sites to lure unsuspecting users into surrendering bank account, credit card, or other personal information.

Citibank and eBay/PayPal are the brands attacked most often, but phishers have even disguised themselves as the US government’s Regulations.gov site to fool and defraud citizens. Greater user awareness of phishing tactics, together with greater use of digital signatures backed by rigorous standards and authentication, are the keys to stopping phishing and restoring consumers’ trust and confidence in e-commerce.

The phishing’s getting better all the time
Instances of phishing scams are on the rise, rivaling the online scourges of spam, viruses, and spyware. For example, in April 2004, the Anti-Phishing Working Group (APWG) detected 1,125 unique new phishes. That's a 180% increase over the previous month, when only 402 new phishes were reported. Phishing represents an extensive and expensive threat to online users and e-commerce firms in several ways:

  • Consumers lose their credit and credit ratings. Unlike spam, which overwhelms e-mail servers and harasses users, the identity fraud facilitated by phishing can cause serious and sustained damage to one’s credit record and personal finances. The frequency and variety of phishing attacks are rising, as is the percentage of attacks that actually hook a victim. According to Gartner, 57 million Americans know or suspect they have been victimized by a phishing attack. 11 million, or about 19% of those attacked, actually took the bait.
  • Consumers lose trust and confidence in e-commerce. The threat of phishing is almost too much to bear for online consumers who are already weary and wary from spyware, viruses, and spam. We’re two years into the spam epidemic, and Pew Internet Life reports that consumer confidence in e-mail has fallen to an all-time low. In its March 2004 survey of 1,371 Internet users, 63% said they are less trusting of e-mail. In June 2003, that number was 52%. This same study showed that 25% of e-mail users have actually reduced their use of e-mail or even stopped using it altogether.
  • The use of online banking services, on the other hand, is still, for now, booming. A survey by comScore Networks shows that more than 22 million users at the top 10 US banks accessed their accounts online in the first quarter, up 29% from the same time last year. And use of online bill payment services increased 37% over that same period. But if phishing threats continue and instances of ID theft and dollar losses mount, many more users may doubt the integrity of electronic communications with their financial institutions.

  • Failing effectiveness and falling trust in e-government. Consumers going online to pay taxes, register vehicles, and file for benefits may be disinclined to do so if they fear sensitive personal information may be compromised. As a result, the value, efficiency, and user-friendly service-centric approach to e-government is degraded and citizens find even baseline interaction with their government too risky to pursue.
  • Corporate images are tarnished. America’s marquee corporate images, brands that have taken decades to cement themselves atop the Fortune 500, take a heavy hit at the hands of phishers. After all, phishers rely on the name recognition of well-established brands to support their ruse. What’s more, fear of phishing could mean that customers delete or ignore legitimate communications from their favored vendors and financial institutions. Users who are afraid to access their banks online will never benefit from the efficiencies of online billing and payment.

Help is on the way:

  • Continued enforcement of criminal laws. Phishers are already being brought to justice using existing law like Title 18 of the United States Code, which was strengthened in 1986 with passage of the Computer Fraud and Abuse Act. Active cases and some notable successful convictions are giving pause to criminal phishers. In March 2004, Zachary Hill pleaded guilty to phishing $75,000 from 400 AOL and PayPal users. He was sentenced to forty-six months in prison in May 2004. In January, Helen Carr of Ohio was sentenced to four years in prison for phishing, while her partner in crime, George Patterson of Pennsylvania, was sentenced to three years.
  • To help consumers at the local level, most FBI offices have Internet crime centers, and the Secret Service is opening Electronic Crime Task Force offices all over the country. Most recently, in July 2004, the President signed the Identity Theft Penalty Enhancement Act (ITPEA). This law adds two years to prison terms for criminals convicted of using stolen credit card numbers and other personal data. This penalty strengthening should encourage more vigorous prosecution, as longer terms give prosecutors more incentive to pursue ID thieves, including phishers.

  • Greater use of authentication technologies. Banks and other firms must engender public trust in their sites and their e-mail communication. One promising technology is an extension to Secure Multi-purpose Internet Mail Extensions (S/MIME) that would show users a corporate logo instead of a digital signature chain to prove the mail has been signed under a certificate issued by a valid certificate authority. The standards for S/MIME already exist and are being marketed by companies such as VeriSign and Tumbleweed Communications. S/MIME is supported in over 350 million deployed e-mail clients, including Microsoft Outlook, Lotus Notes, Novell Groupwise, Netscape Communicator, and Mac Mail. Other services offered by firms like RPost and Gigatrust provide legal and verifiable proof and protection for senders of e-mail sent to any recipient anywhere in the world, regardless of what system or software the recipient uses.
  • New law enforcement tools against fraudulent authentication. These promising new authentication technologies are undermined when phishers use fake seals and certificates in their e-mails and on their websites. Prosecutors need specific, targeted enforcement tools that make it a crime to display phony certification credentials in e-commerce. In the Senate, two bills are aiming to address that need: S. 2636, which makes it a crime to fake a web page for fraudulent gain, and Senator Ensign’s newly introduced legislation that will criminalize the fraudulent use of digital signatures.
  • Rigorous standards for digital certificate issuers. Although technology standards exist, they are rendered meaningless unless there is a mechanism to ensure the iron-clad validity of digital certificates by legitimate issuers. Authentication technology becomes irrelevant if certificate issuers don’t do their jobs with integrity and diligence. Ensign’s new legislation also makes it a crime to assign certificates without validating the identities and legitimacy of the senders.
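The following script is an added example, not part of the NetChoice paper, showing what the S/MIME signature check described above actually proves and why the issuer matters: a message signed under a certificate from a trusted issuer verifies, a tampered copy of it is rejected, and a message signed under a self-minted certificate that no trusted issuer vouches for is rejected even though its signature is internally valid. It assumes only that the openssl command-line tool is installed; every key, name, issuer and message is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the paper): what an S/MIME signature proves.
# Assumes the openssl CLI is installed. All names, keys and text are constructed.
set -eu
WORK=$(mktemp -d)

# Constructed issuer (the "rigorous certificate issuer" role) plus a bank
# signing certificate it vouches for, and a self-signed look-alike no one vouches for.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Issuer CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Example Bank/emailAddress=alerts@bank.example" \
    -keyout "$WORK/bank.key" -out "$WORK/bank.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/bank.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/bank.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Bank" \
    -keyout "$WORK/fake.key" -out "$WORK/fake.crt" 2>/dev/null
}

# sign_message <cert> <key> <outfile>: wrap a constructed notice in a signed S/MIME message.
sign_message() {
  printf 'Your statement is ready. Log in at https://bank.example/\n' > "$WORK/body.txt"
  openssl smime -sign -in "$WORK/body.txt" -text -signer "$1" -inkey "$2" -out "$3"
}

# verify_message <msgfile>: exit 0 only if the signature is intact AND the signing
# certificate chains to an issuer in the recipient's trust list (here, ca.crt).
verify_message() {
  openssl smime -verify -in "$1" -CAfile "$WORK/ca.crt" -out /dev/null 2>/dev/null
}

setup_pki
sign_message "$WORK/bank.crt" "$WORK/bank.key" "$WORK/good.eml"
verify_message "$WORK/good.eml" && echo "genuine message: verified"

# Alter the link inside the signed body: the digest no longer matches the signature.
sed 's#bank.example#bank-login.example#' "$WORK/good.eml" > "$WORK/tampered.eml"
verify_message "$WORK/tampered.eml" || echo "tampered message: rejected"

# Same text, signed under a certificate no trusted issuer vouches for.
sign_message "$WORK/fake.crt" "$WORK/fake.key" "$WORK/fake.eml"
verify_message "$WORK/fake.eml" || echo "untrusted issuer: rejected"
```

The last case is the one the issuer standards in the list above address: the signature itself is mathematically fine, and only the recipient's trust in the issuer separates it from the genuine message.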

Conclusions

The plague of phishing demonstrates that as users go online to shop, read e-mail, and pay bills, criminals and fraudsters unfortunately follow. Users need to recognize and be cautious of the threat, and businesses need to protect their customers as well as their corporate image. While existing law may suffice in the near term, rigorous standards and harsh punishments need to be codified into law to stamp out phishers who use faked logos or digital certificates to ply their illegal trade of information theft. Only then will users have the confidence to go online and enjoy the choice and convenience of e-commerce.

NetChoice Coalition   1413 K. Street, NW
